
Just Another Nanto Webblog's

How to Configure Basic NAT with Overloading?

Here’s a lab that might be helpful for those working towards the CCNA examination.

We have a simple topology consisting of three routers. R8 will simply be used as a host on our “internal” network and R7 will be used as our border router (the serial connection between R5 and R7 will represent our connection to the Internet):

The goal is to NAT any traffic originating on our internal network (R8) as it leaves the serial 0/0 interface on R7 on its way to the “Internet” (R5). Overloading (having multiple clients all NAT’d to the same IP address) is probably the most common implementation (especially for those of us who run NAT on a Cisco box at home!).

Next, we need to create an access-list to match the “internal” IP addresses (the ones we want to be NAT’d). In this case, our internal network is 172.16.78.0/24. Our ACL to match that network is simple:

R7(config-if)# ip access-list standard NAT

R7(config-std-nacl)# permit 172.16.78.0 0.0.0.255

Last, we’ll use the “ip nat …” command to actually instruct the router on what we want to NAT:

This tells IOS that any packets coming in the “inside” interface (fastethernet 0/1) that are permitted by the named access-list “NAT” will have their “source” address translated to the IP address assigned to “interface serial 0/0”. In addition, NAT translations will be overloaded, which allows multiple devices inside to be translated to the same IP address.

To verify that NAT is working properly, let’s start a “debug ip icmp” on R5. Then, we’ll attempt to ping R5 from R8 and see what happens:

So R5 saw the echo requests and sent echo replies back, but notice the IP addresses. The source IP address of the echo replies is 172.16.57.5 (R5), but the destination IP address is 172.16.57.7 (R7). We can be sure that NAT is working, in part because R5 does not have a valid route to R8’s “real” IP address, 172.16.78.8:

R5# show ip route | begin Gateway

Gateway of last resort is not set

172.16.0.0/24 is subnetted, 1 subnets

C 172.16.57.0 is directly connected, Serial0/0

R5# ping 172.16.78.8

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.16.78.8, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

Be sure to check out the NAT translation table on R7, which should show a valid translation for the ICMP traffic that originated at R8:

R7(config)# do show ip nat translations

Pro  Inside global     Inside local      Outside local     Outside global

icmp 172.16.57.7:0     172.16.78.8:0     172.16.57.5:0     172.16.57.5:0
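
The Python model below is an added example, not part of the original lab and not IOS's actual algorithm: it shows how overloading lets several inside hosts share R7's serial address by keeping a per-flow identifier (port or ICMP id) in the translation table, as in the "show ip nat translations" output above. The second host 172.16.78.9 and the identifier-selection rule (keep the original id, otherwise take the next free one) are assumptions made for illustration.

```python
import ipaddress

class PatRouter:
    """Toy model of NAT overload (PAT) on R7; a simplification, not IOS's algorithm."""

    def __init__(self, global_ip, acl_network):
        self.global_ip = global_ip                     # address of the outside interface
        self.acl = ipaddress.ip_network(acl_network)   # Cisco-style wildcard mask is accepted
        self.by_local = {}    # (proto, inside local ip, id) -> inside global id
        self.by_global = {}   # (proto, inside global id) -> (inside local ip, id)

    def outbound(self, proto, src_ip, src_id):
        """Translate a packet leaving the inside; returns the (ip, id) seen outside."""
        if ipaddress.ip_address(src_ip) not in self.acl:
            return (src_ip, src_id)                    # not permitted by the ACL: untranslated
        key = (proto, src_ip, src_id)
        if key not in self.by_local:
            gid = src_id                               # assumed rule: keep the original id if free
            while (proto, gid) in self.by_global:      # id already used by another inside host
                gid = gid + 1 if gid < 65535 else 1024
            self.by_local[key] = gid
            self.by_global[(proto, gid)] = (src_ip, src_id)
        return (self.global_ip, self.by_local[key])

    def inbound(self, proto, dst_id):
        """Map a reply sent to the global IP back to the inside host, or None if no entry."""
        return self.by_global.get((proto, dst_id))

    def translations(self):
        """Rows shaped like the table above: (pro, inside global, inside local)."""
        return [(p, f"{self.global_ip}:{g}", f"{ip}:{i}")
                for (p, g), (ip, i) in sorted(self.by_global.items())]

def demo():
    """R8 from the lab plus a constructed second host using the same ICMP id."""
    r7 = PatRouter("172.16.57.7", "172.16.78.0/0.0.0.255")
    first = r7.outbound("icmp", "172.16.78.8", 0)      # R8, as in the lab
    second = r7.outbound("icmp", "172.16.78.9", 0)     # constructed host, colliding id
    return r7, first, second

if __name__ == "__main__":
    r7, first, second = demo()
    print(first, second)
    for row in r7.translations():
        print(*row)
```

Both hosts leave with source 172.16.57.7, and only the identifier in the table tells R7 which inside host a reply belongs to; a packet arriving with no matching entry has nowhere to be forwarded.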

Finally, we can use “debug ip nat” on R7 to see what’s happening there. Let’s turn that on, then ping R5 from R8 again: